fix(routes): PATCH /accounts/{id} with invalid session (#215)

routes/accounts.js

@@ -199,13 +199,21 @@ function accountRoutes (server, options, next) {
       var password = request.payload.data.attributes.password
       var profile = request.payload.data.attributes.profile
 
-      return accounts.update(request.params.id, {
-        username: username,
-        password: password,
-        profile: profile
-      }, {
-        sessionId: sessionId,
-        include: request.query.include
+      return admins.validateSession(sessionId)
+
+      .catch(function () {
+        throw errors.INVALID_SESSION
+      })
+
+      .then(function () {
+        return accounts.update(request.params.id, {
+          username: username,
+          password: password,
+          profile: profile
+        }, {
+          sessionId: sessionId,
+          include: request.query.include
+        })
       })
 
       .then(function (account) {

tests/integration/routes/accounts/patch-accounts-test.js

@@ -89,8 +89,19 @@ getServer(function (error, server) {
       })
     })
 
-    group.test('CouchDB Session invalid', {todo: true}, function (t) {
-      t.end()
+    group.test('CouchDB Session invalid', function (t) {
+      var options = _.defaultsDeep({
+        headers: {
+          authorization: 'Session InvalidKey'
+        }
+      }, routeOptions)
+      server.inject(options, function (response) {
+        t.is(response.statusCode, 401, 'returns 401 status')
+        t.is(response.result.errors.length, 1, 'returns one error')
+        t.is(response.result.errors[0].title, 'Unauthorized', 'returns "Unauthorized" error')
+        t.is(response.result.errors[0].detail, 'Session invalid', 'returns "Session invalid" message')
+        t.end()
+      })
     })
 
     group.test('Not an admin', {todo: true}, function (t) {